Read as
Why this module exists. Encryption is the universal control demanded by every regulator and standard, yet the operational distinction between “at rest”, “in transit”, and “in use” is routinely conflated. This module covers each layer, the modern primitives, and the integration patterns that make encryption operationally manageable.
Why this module exists. “We encrypt everything” usually means “we encrypt some things at some layer, with key management we haven’t audited.” This module is the structured framework for an encryption strategy that survives both audit and operational reality.
The three layers
| Layer | Protects against | Primitives |
|---|---|---|
| At rest | Stolen disk, exfiltrated backup, lost laptop | AES-256 in GCM/XTS |
| In transit | Network eavesdropping, MitM | TLS 1.3, mTLS for service-to-service |
| In use | Compromised hypervisor, malicious co-tenant | Confidential computing (Intel TDX, AMD SEV-SNP) |
DPDP Act in your stack?
Get a DPDP gap assessment
Free 30-minute call. We map your data flows against DPDP §8 obligations and tell you exactly which gaps to fix first. Auditor-defensible output.
Book DPDP scoping call
Replies in 4 working hrs · India-only · Senior consultants